From the September 2016 issue of HealthCare Business News magazine
By Phyllis Garrison and Jackie McGuinn
On March 21, 2016, providers added a new regulatory compliance assessment to their checklist of HIPAA accountability. The Department of Health and Human Services, Office for Civil Rights announced the start of the Phase 2 HIPAA Audit Program to ensure that “policies and procedures adopted by covered entities and their business associates meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
Earlier this year, many provider organizations received notice that they potentially would be on the list for desk or onsite audits. Indianapolis-based Eskenazi Health, one of the largest safety-net health systems, which provides care to nearly 1 million outpatient visitors each year, was one of those organizations. According to OCR, the criteria for organizations most likely to be audited this year include: the size of the entity; affiliation with other health care organizations; the type of entity and its relationship to individuals; whether an organization is public or private; geographic factors; and present enforcement activity with OCR.
The challenge for all provider organizations is the continuous review of vendor relationships to determine which qualify as business associates, and then requesting Business Associate Agreements (BAAs) that comply with HIPAA regulations. For many organizations this process is largely manual. For Eskenazi, solving that challenge included working with GHX to help centralize business associate management in one electronic solution, giving the organization greater visibility into and control over these relationships. In 2008, Eskenazi Health had only a small number of vendors classified as business associates. Today, the organization manages hundreds of business associates, and the list is only growing.
The key to surviving OCR reviews is that an organization must have control of its contractual relationships (including purchase orders) in order to be HIPAA compliant. The challenge is in how to do it. The consequences for being noncompliant are too significant to ignore or to delay implementing best practices. What follows are some of the approaches that have helped Eskenazi to be prepared and compliant with the new regulations.
Use a comprehensive vendor and contract management process.
This should be the source of truth for all vendor relationships. Route each new contract through the privacy and security officers for BA evaluation, then obtain a BAA if one is necessary. All BAAs should be maintained in a central location, managed and signed by a privacy officer in collaboration with supply chain, purchasing and finance. If a contract is not in place with a vendor, the process should allow the privacy officer to vet the relationship during the onboarding process to determine whether a BAA is necessary.